Chinese State Hackers Exploit Cisco Flaws to Infiltrate Major US Telecom Networks

Chinese Hackers Continue Global Telecom Assault Through Cisco Vulnerabilities

A sophisticated Chinese hacking group, known as Salt Typhoon (or RedMike), continues to target telecommunications providers worldwide through vulnerable Cisco IOS XE network devices. According to Recorded Future’s Insikt Group, the attackers are exploiting two critical vulnerabilities: CVE-2023-20198 and CVE-2023-20273.

Recent Victims and Attack Scope
The campaign has successfully breached multiple telecommunications providers, including:
– U.S. internet service provider
– U.S.-based affiliate of a U.K. telecom provider
– South African telecom provider
– Italian ISP
– Major Thailand telecommunications provider

Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco devices, with more than half located in the U.S., South America, and India. The group has been observed compromising and reconfiguring Cisco devices to establish persistent access through GRE tunnels.

Previous Impact and Current Threat
The exploited vulnerabilities were previously used in zero-day attacks that compromised over 50,000 Cisco IOS XE devices. The campaign is part of a larger operation that affected major U.S. carriers including AT&T, Verizon, and Charter Communications, where attackers accessed sensitive communications and law enforcement wiretapping platforms.

Security Recommendations
Network administrators are strongly advised to:
– Apply available security patches immediately
– Limit exposure of administration interfaces
– Restrict access to non-essential services
– Follow industry best practices for securing management protocols
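A configuration audit that defenders can run against an exported IOS XE running-config to surface the exposures discussed above (an enabled web UI, unexpected privilege-15 accounts, and GRE tunnel interfaces that are not on an allow-list). This is an added example, not code from the article, Recorded Future or Cisco; the sample config, the allow-lists and the 203.0.113.45 address are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample 'show running-config' excerpt (not from any real device).
SAMPLE_CONFIG = """\
username admin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""

def parse_config(text):
    """Split IOS-style config into top-level lines and per-interface sub-blocks."""
    top, blocks, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip() if raw.startswith("interface ") else None
            top.append(raw.strip())
    return top, blocks

def audit_config(text, known_tunnels=frozenset(), known_admins=frozenset()):
    """Flag the web UI being enabled, privilege-15 users and GRE tunnels not on an allow-list."""
    top, blocks = parse_config(text)
    findings = []
    for line in top:
        if line in ("ip http server", "ip http secure-server"):
            findings.append(("web-ui-enabled", line))
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in known_admins:
            findings.append(("unexpected-priv15-user", m.group(1)))
    for name, body in blocks.items():
        if not name.startswith("interface Tunnel") or name in known_tunnels:
            continue
        # GRE over IP is the IOS default tunnel mode and is usually omitted from show run.
        mode = next((l for l in body if l.startswith("tunnel mode")), "tunnel mode gre ip")
        dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), "?")
        if "gre" in mode:
            findings.append(("unexpected-gre-tunnel", f"{name} -> {dest}"))
    return findings
```

Run it over configs pulled by your normal backup tooling and diff the findings against the previous run; a tunnel or privilege-15 user that appears without a change ticket is what deserves investigation.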

The Salt Typhoon group, active since 2019, continues to pose a significant threat to telecommunications infrastructure globally, particularly targeting exposed Cisco devices for cyber-espionage operations.
